znc: patch CVE-2024-39844

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844 Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1 [1] 8cbf8d6281 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2026-01-09 22:28:39 +13:00 · 2026-01-09 22:28:39 +13:00 · e90c455347
commit e90c455347
parent bfd8dda3ba
2 changed files with 63 additions and 0 deletions
--- a/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch
+++ b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch
@ -0,0 +1,62 @@
+From d3867e667ec813a448a0845087a8d87bad58402d Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Mon, 1 Jul 2024 09:59:16 +0100
+Subject: [PATCH] Fix RCE vulnerability in modtcl
+
+Remote attacker could execute arbitrary code embedded into the kick
+reason while kicking someone on a channel.
+
+To mitigate this for existing installations, simply unload the modtcl
+module for every user, if it's loaded.
+Note that only users with admin rights can load modtcl at all.
+
+While at it, also escape the channel name.
+
+Discovered by Johannes Kuhn (DasBrain)
+
+Patch by https://github.com/glguy
+
+CVE-2024-39844
+
+CVE: CVE-2024-39844
+Upstream-Status: Backport [https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e]
+(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ modules/modtcl.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
+index c64bc43f..58e68f51 100644
+--- a/modules/modtcl.cpp
+++ b/modules/modtcl.cpp
+@@ -248,8 +248,9 @@ class CModTcl : public CModule {
+         // chan specific
+         unsigned int nLength = vChans.size();
+         for (unsigned int n = 0; n < nLength; n++) {
+            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
+             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
+-                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
+                       "} - {" + sChannel + "} {" + sNewNickTmp +
+                        "}";
+             int i = Tcl_Eval(interp, sCommand.c_str());
+             if (i != TCL_OK) {
+@@ -260,14 +261,16 @@ class CModTcl : public CModule {
+ 
+     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
+                 const CString& sMessage) override {
+        CString sMes = TclEscape(sMessage);
+         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
+         CString sNick = TclEscape(sKickedNick);
+         CString sOpHost =
+             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
+        CString sChannel = TclEscape(Channel.GetName());
+ 
+         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
+-                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
+-                           sMessage + "}";
+                           "} - {" + sChannel + "} {" + sNick + "} {" +
+                           sMes + "}";
+         int i = Tcl_Eval(interp, sCommand.c_str());
+         if (i != TCL_OK) {
+             PutModule(Tcl_GetStringResult(interp));
--- a/meta-networking/recipes-irc/znc/znc_1.8.2.bb
+++ b/meta-networking/recipes-irc/znc/znc_1.8.2.bb
@ -7,6 +7,7 @@ DEPENDS = "openssl zlib icu"

 SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \
           git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \
+           file://CVE-2024-39844.patch \
          "
 SRCREV_znc = "bf253640d33d03331310778e001fb6f5aba2989e"
 SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4"